RilExtender is loaded into the main thread of the running `com.android.phone` process.
It installs a "service" exposing functions to callers with a custom Android permission, `net.scintill.rilextender.RILEXTENDER_CLIENT` (which apparently includes root).
Since broadcasts were the only type of high-level IPC I could find that didn't need to be defined in the manifest, that's what we use to receive requests and return answers. It's a bit of a mess, so I may want to find something else.
The app currently shows no icon in the launcher. It's only accessible through Android service calls. Here's how to use them from `adb shell` as root:
```
am startservice net.scintill.rilextender/.RilExtenderInstaller
# You may have to grant SuperUser permission in a dialog on the phone.
# If successful, a toast notification saying "RilExtender active" will appear in the upper-right corner of the screen. (Due to Superuser toasts blocking the display, it may take longer to show up than it actually takes to be ready.)
# If it's already loaded, no toast is shown.
am broadcast -a net.scintill.rilextender.ping
# Output: Broadcast completed: result=1, data="Bundle[{birthdate=1423787701642, version=11}]", extras: Bundle[mParcelledData.dataSize=76]
# If not alive (applies to all functions): Broadcast completed: result=0
am broadcast -a net.scintill.rilextender.iccio --ei command 192 --ei fileID 28542 --es path 3F007F20 --ei p1 0 --ei p2 0 --ei p3 15 --es data "" --es pin2 "" --es aid ""
# Output: Broadcast completed: result=1, data="Bundle[return=XXXX]", extras: Bundle[mParcelledData.dataSize=56]
am broadcast -a net.scintill.rilextender.oemrilrequestraw --es argHex 514f454d484f4f4b13000800080000000100000001000000
# Output: Broadcast completed: result=1, data="Bundle[return=]", extras: Bundle[mParcelledData.dataSize=36]
# (Check `logcat -b radio` for responses)
# Turn it off
am broadcast -a net.scintill.rilextender.oemrilrequestraw --es argHex 514f454d484f4f4b13000800080000000100000000000000
am broadcast -a net.scintill.rilextender.oemrilrequeststrings --es arg ATI
am broadcast -a net.scintill.rilextender.iccio
# Output: Broadcast completed: result=-1, data="expected int extra: command", extras: Bundle[mParcelledData.dataSize=96]
```
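The replies listed above use three result codes: 1 with a `Bundle[...]` payload on success, 0 when the service is not alive, and -1 with an error string in `data`. The following is an added example, not part of RilExtender, that classifies a reply line and extracts Bundle fields; the `rilx_*` function names are hypothetical, and the sample lines are the outputs quoted above.

```shell
#!/bin/sh
# Added example: classify "am broadcast" replies from RilExtender.
# All rilx_* names are made up for this sketch.

# Print the numeric result code, or nothing if the line is not a reply.
rilx_result() {
    printf '%s\n' "$1" |
        sed -n 's/^Broadcast completed: result=\(-\{0,1\}[0-9][0-9]*\).*$/\1/p'
}

# Print the data="..." payload, or nothing if the reply carries none.
rilx_data() {
    printf '%s\n' "$1" |
        sed -n 's/^Broadcast completed: result=[^,]*, data="\(.*\)", extras: .*$/\1/p'
}

# Print one key of a Bundle[...] payload (birthdate, version, return).
rilx_field() {
    rilx_data "$1" | sed -e 's/^Bundle\[{*//' -e 's/}*]$//' | tr ',' '\n' |
        sed -n "s/^ *$2=//p"
}

# Map a reply line to ok / not-loaded / error: <message> / unparsed.
rilx_status() {
    case "$(rilx_result "$1")" in
        1)  echo "ok" ;;
        0)  echo "not-loaded" ;;                 # result=0: service not alive
        -1) echo "error: $(rilx_data "$1")" ;;   # result=-1: message is in data
        *)  echo "unparsed" ;;
    esac
}

# On the device (root adb shell): run one action and classify its reply.
rilx_call() {
    action=$1; shift
    rilx_status "$(am broadcast -a "net.scintill.rilextender.$action" "$@" |
        grep '^Broadcast completed')"
}

# Demo on reply lines quoted from the listing above (no device needed).
for line in \
    'Broadcast completed: result=1, data="Bundle[{birthdate=1423787701642, version=11}]", extras: Bundle[mParcelledData.dataSize=76]' \
    'Broadcast completed: result=0' \
    'Broadcast completed: result=-1, data="expected int extra: command", extras: Bundle[mParcelledData.dataSize=96]'
do
    printf '%s\n' "$(rilx_status "$line")"
done
```

On the device, `rilx_call ping` reports whether the service is loaded before any other request is sent.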
Something is wrong with the build process. To reliably (re)build the injected dex, you have to build twice. The first build doesn't properly package the secondary dex file into the app.
Example logcat command to filter to output from this service:
```
adb logcat -s RilExtender,librilinject,CMDProcessor,lib__inject.bin__.so,System.err,su
```